Title

Authenticating Internet protocol (IP) data transferred between a mobile terminal and a network node

(57) A method of facilitating the authentication of IP data transfer between a mobile wireless terminal 4 and a
network node 2. A wm^eTis used to generate a public-private key pair, whilst a certificate guaranteeing that
ilC^^S^ unique identifier allocated to a subscriber is obtained from a CA 8. The key
pair and certificate are stored on a subscriber identity module (SIM) card 9 which is then coupled to the
mobile wireless terminal 4 so that processing means of the terminal 4 can access the key pair and the
certificate in authenticating itself to a remote node 2. The terminal is authorised to access services of
the node 2 on the basis of the unique identifier.

At least one drawing originally filed was informal and the print reproduced here is taken from a later filed formal copy.

This print takes account of replacement documents submitted after the date of filing to enable the application to comply
with the formal requirements of the Patents Rules 1995

Authentication and Authorisation Based Secure IP Connections for Terminals

The present invention relates to the security of IP data transfer and in particular to
facilitating the authentication of IP data transferred between a mobile wireless terminal
and a network node.

Background to the Invention

IP connections between mobile wireless terminals (such as mobile telephones and
communicators) and entities such as Internet servers and corporate intranets are
becoming increasingly popular. An organisation maintaining such a server or an
intranet may wish to restrict access to selected users, and to e^
between the server/intranet and those users is secure. A necessary feature of a secure
"Virtual Private Network" (VPN) is that the gateway to the server/intranet has some
means of authenticating users (and vice versa).

IPSec (Internet Protocol Security) is a set of protocols defined by the Internet
Engineering Taskforce (RFC2401) which provides a security mechanism for IP and
certain upper layer protocols such as UDP and TCP. IPSec protects IP packets and
upper layer protocols during transmission between peer nodes by introducm^

origin and encryption.

In order to allow IPSec packets to be properly encapsulated and decapsulated it is
necessary to associate security services (and parameters) between the traffic being
transmitted and the remote node which is the intended recipient of the traffic. The
construct used for this purpose is a "Security Association" (SA). SAs are negotiated
between peer nodes using a mechanism known as "Internet Key Exchange" (IKE), and
are allocated an identification known as a "Security Parameter Index" (SPI). The
appropriate SA is identified to the receiving node by including the corresponding SPI in
the IPSec header. Details of the existing SAs and the respective SPIs arem^
a Security Association Database (SAD) which is associated with each IPSec node.

The security of the process depends crucially on the security of the initial identification
of the nodes involved. A corporate intranet gateway needs to be sure that a mobile
terminal initiating IKE is authorised to do so. IKE includes within it a mechanism to
perform such authentication, as do other known mechanisms such as SSL and TLS. All
of these mechanisms are based on public key cryptography and rely on the guarantee of
a trusted (often independent) Certification Authority (CA) that a particular user is
associated with a particular key. Each node must obtain a public-private key pair.
Messages encoded with a node's private key can only be decoded with the
corresponding public key, and those encoded with the public key can only be decoded
with the private key. Thus if a node sends a message encoded with the private key, the
recipient can authenticate the message as coming from that node if he can decode the
message using the public key and if he can be sure that the public key is associated with
that node. The CA's task is to ensure that the association between public keys and
nodes can be trusted.

This is achieved by the CA issuing certificates to the nodes at the same time as they
obtain their initial public-private key pair. The certificate for a particular node may
include the public key of that node together with the identity of the node. The
certificate is "signed" with a signature of the CA and which may be generated for
example by encrypting, using a private key of the CA, data extracted from the node's
public key and identity. Thus another node receiving this certificate can be sure it was
"signed" by the CA if it can be unencrypted using the public key of the CA. He can
then also be sure of the association between the first node and its public key. Other
methods for producing signed certificates are known. Using such guarantees,
connections can be opened in a scalable way since not everybody needs to know
everybody else beforehand: it is only necessary to know the public key of the CA.

These mechanisms can theoretically be used by mobile wireless terminals such as
mobile telephones. In practice, however, their deployment is difficult for a number of
reasons.

Firstly, in order to participate in the authentication process of IKE, SSL, or TLS, a
terminal needs a public-private key pair, as described above. The generation of this key
pair requires a large amount of computational power, together with sophisticated
software and preferably also a means for generating random numbers. Mobile wireless
terminals frequently do not have sufficient resources to cope with these demands.

Furthermore, the terminal needs to obtain a certificate from a CA guaranteeing the
association of the key pair, the user, and the CA. In order to do this, the user must
provide identification information (which may for example require the user to attend the
CA to present his or her passport), and must operate complex software on the terminal
to correspond with the CA server over the Internet. In some cases, it is even necessary
to copy and paste text between the terminal's user interface and an Internet server.
These are complicated tasks on an ordinary mobile terminal, especially for
inexperienced users. Again, the problem also arises that the terminal must have
sufficient resources to run the complex software, and this is frequently not the case.



Summary of the Invention

It is an object of the present invention to overcome or at least mitigate the disadvantages
noted in the preceding paragraphs. This and other objects are achieved at least in part
by pre-storing keys and certificates created by a network operator on a SIM card for use
by a mobile wireless terminal.

According to a first aspect of the present invention, there is provided a method of
facilitating the authentication of an IP data transfer between a mobile wireless terminal
and a network node via a radio access network (RAN), the method comprising the steps
of:

generating a public-private key pair;

obtaining a certificate containing said public key, a unique identifier allocated to
a subscriber, and a signature guaranteeing that the public key is associated with the
unique identifier, the unique identifier being an identifier allocated to the terminal for
the purpose of using the RAN;

storing the key pair and the certificate on a subscriber identity module (SIM)
card;

coupling the SIM card to the mobile wireless terminal so that processing means
of the terminal can access the key pair and the certificate; and

sending the certificate to a network node, whereby the network node can use the
certificate to authenticate the subscriber.

Embodiments of the present invention allow authentication data to be pre-calculated by
a network operator or service provider, for example prior to the purchase of a terminal
by a subscriber. The data is then stored on a SIM card which is inserted into a mobile.
This avoids the need for the data to be generated by the mobile terminal itself.

Preferably, the method comprises, at the network node, using the received certificate to
identify the subscriber and determining the subscriber's access rights using an access
permissions database.

It will be appreciated that the mobile wireless terminal has the capability to register with
a mobile telecommunications network such as a GSM network or a UMTS network.
The terminal may be a mobile telephone or communicator or a PDA, or a palmtop or
laptop computer having mobile wireless facilities (this may be built in or could be in the
form of a card inserted into a PCMCIA slot). Typically, the SIM card is inserted into a
slot provided in the terminal (or card).

The unique identity allocated to a subscriber may be the telephone number of the
subscriber, or may be an International Mobile Subscriber Identity (IMSI) code.

The certificate may be generated by a Certification Authority (CA) which "signs" the
certificate to guarantee the association of the key pair and the unique identifier. The
SIM card records the unique identity and the operator of the mobile network is trusted
to store key pairs and certificates on SIM cards having the correct unique identifiers.

It will be appreciated that the IP data transfer between the mobile wireless terminal and
the network node may involve networks in addition to the RAN, e.g. a core network of a
mobile telecommunications network, the Internet, and/or an intranet.

According to a second aspect of the present invention, there is provided a method of
authenticating IP data transfer between a mobile wireless terminal and a network node
via a radio access network (RAN), the mobile terminal comprising a SIM card having
stored thereon a public-private key pair and a certificate containing at least the public
key, a unique identifier being an identifier allocated to the terminal for the purpose of
using the RAN, and a signature guaranteeing that the public key is associated with the
unique identifier, the method comprising:

sending the certificate from the mobile terminal to the node;

authenticating the terminal using said certificate; and

authorising the terminal to access a service of the node on the basis of said
identifier.

The step of authorising the terminal may comprise looking up the unique identifier at
the receiving node on a local database to find out if the mobile wireless terminal (or its
user) has access limits.

The unique identifier may be, for example, an E.164 address or an international
telephone number. These are both identifiers which are already present on a SIM card
and are unique to each mobile terminal, and so can be relied upon.

The node may be, for example, a corporate security gateway or firewall.

Thus in order to authenticate a particular user, the organisation maintaining the network
node must trust the network operator to ensure that the mapping of the certificate to the
phone number is secure. The certificates mapped to the phone numbers (or other unique
identifiers) act as a true global Public Key Infrastructure (PKI) and perform the
authentication part of the connection to the network node.

According to a third aspect of the present invention there is provided a method of
facilitating the authentication of IP data transfer between a mobile wireless terminal and
a network node, the method comprising the steps of:

1) registering a subscriber to a mobile wireless telecommunications network;

2) generating a public-private key pair;

3) obtaining a certificate from a certification authority (CA) containing at least
the public key, a unique identifier being an identifier allocated to the terminal for the
purpose of using the telecommunications network, and a signature guaranteeing that the
public key is associated with the unique identifier;

4) storing the key pair and the certificate on a subscriber identity module (SIM)
card;

5) giving a mobile wireless terminal to the subscriber together with the SIM
card; and

6) coupling the SIM card to the mobile wireless terminal

whereby processing means of the terminal can access the certificate for sending to a
remote node and the remote node can authenticate the subscriber on the basis of the
certificate and can authorise access to services of the node on the basis of the unique
identifier.

It will be appreciated that the steps 1) to 6) need not be performed in the order set out.
For example, where the unique identifier is an IMSI code, step 1) may be performed
after step 4). Step 6) may be performed either before or after step 5).

Brief Description of the Drawings

Figure 1 illustrates schematically a Virtual Private Network (VPN) extending across the
Internet and a Public Land Mobile Network (PLMN);

Figure 2 is a flow diagram illustrating a method of initialising a mobile terminal for
allowing authentication; and

Figure 3 is a flow diagram showing the authentication of a mobile terminal to allow the
transfer of IP data across the connection shown in Figure 1.

Detailed Description of the Preferred Embodiment

Figure 1 illustrates a typical scenario in which a mobile wireless terminal and a
corporate intranet together form a Virtual Private Network (VPN). A corporate intranet
1 is connected via a gateway 2 to the Internet 3. A remote mobile wireless terminal 4
may connect to the gateway via the Internet 3 and a Public Land Mobile Network
(PLMN) 5 such as a GSM network. The mobile terminal 4 may be for example a
mobile telephone or a PDA having wireless functionality. By using IPSec to control
communication between the gateway 2 and the mobile terminal 4 (and hence between
the mobile terminal 4 and local hosts 6), a Virtual Private Network (VPN) may be
established. The mobile terminal must negotiate at least one pair of SAs (one for
sending data and one for receiving data) with the gateway 2 prior to exchanging user
generated traffic with the intranet 5.

Negotiation of SAs is carried out using Internet Key Exchange (IKE). Before IKE can
start, each party must have a public-private key pair and a certificate from a CA
guaranteeing the association of each party with its public key, as described above in the
background to the invention.



The first stage of IKE involves a Diffie-Hellman exchange between the parties to
generate a shared secret. Using this shared secret they encrypt their certificates
(containing the public keys) and exchange these. Each party need only trust the CA to
be able to be sure that the certificate guarantees the association between the other party
and their public key.

The mechanism for obtaining public-private key pairs and certificates is complicated
and computationally intensive, and beyond the capabilities of many mobile terminals.
This data is therefore created by the operator of the PLMN 5 rather than by the mobile
terminals directly. The operator is already responsible for the allocation of ordinary
telephone numbers, and provides SIM cards to users allowing them to use particular
telephone numbers. It is therefore possible for the operator to add the public-private
key pairs and certificates to the SIM cards issued to users. The certificates can use the
allocated telephone number or the SIM card's unique IMSI as part of the identification
information.

The sequence of events leading to the proper initialisation of a mobile terminal with the
appropriate keys and certificates is shown in Figure 2 and is as follows:

1. The SIM card 9 is manufactured and programmed by or on behalf of the operator.

2. The operator's chosen CA 8 is requested to create and provide a new public-private
key pair. Alternatively, this can be performed inside the SIM card 9 so that
the private key cannot "leak" out, whilst the public key remains visible. The
operator may in some circumstances act as a CA.

3. The CA 8 constructs a new certificate for the key pair, and assigns the necessary
names, preferably using the E.164 phone number as a part of the ASN.1
Distinguished Name in the X.509 certificate format. E.164 or +358 40 ... format
numbers are by definition globally unique.

4. The operator or his agent stores the keys and the certificates on the SIM card 9.

The SIM card 9 is thus equipped with a public-private key pair and a certificate
guaranteeing the association of the public key with the E.164 address or telephone
number. When the card is inserted into the appropriate slot of the mobile terminal 4 and
the terminal is switched on and registered with the network 5, the terminal 4 is in a
position to initiate IKE negotiation with the corporate intranet gateway 2.

The gateway authenticates and authorises the user as follows (shown in Figure 3):

1. The mobile terminal 4 opens IKE Phase 1 negotiation by sending the pre-stored
certificate (containing its public key) to the gateway 4. Using the public key of the
CA 8, the gateway 2 decrypts the signature contained in the certificate, and uses this
to verify the association between the public key and identity (E.164 number) pair.

2. The mobile terminal 4 sends a message encrypted with its private key to the
gateway 2.

3. The gateway 2 unencrypts the message using the public key of the terminal's public-private
key pair. Assuming that the decryption process is successful, the gateway 2
can be sure of the identity of the mobile terminal 4.

4. The gateway 2 then proceeds to authorise the user by looking up the E.164 number
or telephone number from a local database 7 (an "access permissions" database).
This database may be constructed manually and contains a list of allowed users and
their access rights. If listed, the mobile terminal 4 is allowed to connect.

5. Steps 1 to 3 are then repeated in reverse to authenticate the gateway 2 to the mobile
terminal 4.
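The provisioning of Figure 2 and gateway steps 1 to 4 of Figure 3, as an added example that is not part of the patent text. It uses textbook RSA over hard-coded Mersenne primes so that "encrypting with the private key" can be shown with the standard library alone; the key sizes, absence of padding, certificate field encoding, gateway-chosen challenge, phone numbers and all function names are assumptions made for illustration, not a deployable scheme.

```python
import hashlib
import secrets

E = 65537  # public exponent used by every toy key below

def make_key(p, q):
    """Textbook RSA key (n, d) from two primes. Toy only: no padding."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(n, *parts):
    """Hash length-prefixed parts to an integer below the modulus n."""
    data = b"".join(len(x).to_bytes(4, "big") + x for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, *parts):
    """The page's 'encrypt with the private key'."""
    n, d = key
    return pow(digest(n, *parts), d, n)

def verify(n, sig, *parts):
    """The page's 'decrypt with the public key', compared with a fresh hash."""
    return pow(sig, E, n) == digest(n, *parts)

# CA 8 key, built from Mersenne primes so the example needs no prime search.
CA_KEY = make_key(2**521 - 1, 2**607 - 1)

def cert_fields(cert):
    """The data the CA signature covers: identifier and public key."""
    return cert["id"].encode(), str(cert["pub"]).encode()

def provision_sim(e164, p, q):
    """Figure 2: key pair and certificate made off-terminal, stored on the SIM."""
    key = make_key(p, q)
    cert = {"id": e164, "pub": key[0]}
    cert["sig"] = sign(CA_KEY, *cert_fields(cert))
    return {"key": key, "cert": cert}

# Access permissions database 7 (constructed entry).
ACCESS_DB = {"+15555550100": {"intranet"}}

def gateway_check(cert, challenge, response):
    """Figure 3, steps 1 to 4; gateway 2 needs only the CA's public modulus."""
    if not verify(CA_KEY[0], cert["sig"], *cert_fields(cert)):
        return "denied: certificate not signed by CA"   # step 1
    if not verify(cert["pub"], response, challenge):
        return "denied: no proof of private key"        # steps 2 and 3
    if cert["id"] not in ACCESS_DB:
        return "denied: subscriber not listed"          # step 4
    return "allowed: " + ",".join(sorted(ACCESS_DB[cert["id"]]))

def demo():
    listed = provision_sim("+15555550100", 2**107 - 1, 2**127 - 1)
    unlisted = provision_sim("+15555550199", 2**61 - 1, 2**89 - 1)
    challenge = secrets.token_bytes(16)  # gateway-chosen message (assumption)
    own = sign(listed["key"], challenge)
    other = sign(unlisted["key"], challenge)
    # Certificate edited to claim the listed number: CA signature stops matching.
    forged = dict(unlisted["cert"], id="+15555550100")
    return {
        "listed": gateway_check(listed["cert"], challenge, own),
        "unlisted": gateway_check(unlisted["cert"], challenge, other),
        "forged": gateway_check(forged, challenge, other),
        # Copied certificate presented without the SIM's private key.
        "copied": gateway_check(listed["cert"], challenge, other),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The order of the checks matters: the identifier is looked up in the database only after the CA signature and the proof of private-key possession have both passed, so an unverified number never reaches the authorisation step.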

IKE Phase 2 negotiation then proceeds between the mobile terminal and the gateway to
determine SAs for IPSec encryption.

If the host/gateway with which the mobile terminal wants to communicate is another
terminal of the same operator (or the same group of operators), then the operator's root
certificate can easily verify the identity of the other party. It only remains to describe
the identities of the involved CA parties to the terminal's user and ask verification if he
or she trusts this chain.



It will be appreciated by a person skilled in the art that variations may be made to the
above described embodiment without departing from the scope of the invention.

CLAIMS:

1. A method of facilitating the authentication of an IP data transfer between a
mobile wireless terminal and a network node via a radio access network (RAN), the
method comprising the steps of:

generating a public-private key pair;

obtaining a certificate containing said public key, a unique identifier allocated to
a subscriber, and a signature guaranteeing that the public key is associated with the
unique identifier, the unique identifier being an identifier allocated to the terminal for
the purpose of using the RAN;

storing the key pair and the certificate on a subscriber identity module (SIM)
card;

coupling the SIM card to the mobile wireless terminal so that processing means
of the terminal can access the key pair and the certificate; and

sending the certificate to a network node, whereby the network node can use the
certificate to authenticate the subscriber.

2. A method according to claim 1 and comprising, at the network node, using the
received certificate to identify the subscriber and determining the subscriber's access
rights using an access permissions database.

3. A method according to claim 1 or 2, wherein the mobile wireless device has the
capability to register with a GSM network or a UMTS network.

4. A method according to any one of the preceding claims, wherein the terminal is
a mobile telephone or communicator or a PDA, or a palmtop or laptop computer having
mobile wireless facilities.

5. A method according to any one of the preceding claims, where said unique
identity allocated to a subscriber is the telephone number of the subscriber, or is an
International Mobile Subscriber Identity (IMSI) code.



MACP51336GB 




6. A method according to any one of the preceding claims, wherein the certificate
is generated by a Certification Authority (CA) which signs the certificate to guarantee
the association of the key pair and the unique identifier.

7. A method according to any one of the preceding claims, wherein the SIM card
records the unique identity, and the operator of the mobile network is trusted to store
key pairs and certificates on SIM cards having the correct unique identifiers.

8. A method of authenticating IP data transfer between a mobile wireless terminal
and a network node via a radio access network (RAN), the mobile terminal comprising
a SIM card having stored thereon a public-private key pair and a certificate containing
at least the public key, a unique identifier being an identifier allocated to the terminal
for the purpose of using the RAN, and a signature guaranteeing that the public key is
associated with the unique identifier, the method comprising:

sending the certificate from the mobile terminal to the node;

authenticating the terminal using said certificate; and

authorising the terminal to access a service of the node on the basis of said identifier.

9. A method of facilitating the authentication of IP data transfer between a mobile
wireless terminal and a network node, the method comprising the steps of:

1) registering a subscriber to a mobile wireless telecommunications network;

2) generating a public-private key pair;

3) obtaining a certificate from a certification authority (CA) containing at least
the public key, a unique identifier being an identifier allocated to the terminal for the
purpose of using the telecommunications network, and a signature guaranteeing that the
public key is associated with the unique identifier;

4) storing the key pair and the certificate on a subscriber identity module (SIM)
card;

5) giving a mobile wireless terminal to the subscriber together with the SIM
card; and

7) coupling the SIM card to the mobile wireless terminal

whereby processing means of the terminal can access the certificate for sending to a
remote node and the remote node can authenticate the subscriber on the basis of the
certificate and can authorise access to services of the node on the basis of the unique
identifier.